1 /* $OpenBSD: tls13_server.c,v 1.74 2021/03/29 16:46:09 jsing Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_tlsext.h" 23 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33 &ctx->hs->our_max_tls_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->our_max_tls_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * If we got no pre_shared_key, then signature_algorithms and 112 * supported_groups must both be present. 113 */ 114 if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 115 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 116 return 0; 117 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 118 return 0; 119 } 120 121 /* 122 * supported_groups and key_share must either both be present or 123 * both be absent. 124 */ 125 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 126 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 127 return 0; 128 129 /* 130 * XXX - Require server_name from client? If so, we SHOULD enforce 131 * this here - RFC 8446, 9.2. 132 */ 133 134 return 1; 135 } 136 137 static const uint8_t tls13_compression_null_only[] = { 0 }; 138 139 static int 140 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 141 { 142 CBS cipher_suites, client_random, compression_methods, session_id; 143 STACK_OF(SSL_CIPHER) *ciphers = NULL; 144 const SSL_CIPHER *cipher; 145 uint16_t legacy_version; 146 int alert_desc; 147 SSL *s = ctx->ssl; 148 int ret = 0; 149 150 if (!CBS_get_u16(cbs, &legacy_version)) 151 goto err; 152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 153 goto err; 154 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 155 goto err; 156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 157 goto err; 158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 159 goto err; 160 161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 162 if (!CBS_skip(cbs, CBS_len(cbs))) 163 goto err; 164 return tls13_use_legacy_server(ctx); 165 } 166 ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 167 168 /* Add decoded values to the current ClientHello hash */ 169 if (!tls13_clienthello_hash_init(ctx)) { 170 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 171 goto err; 172 } 173 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 174 sizeof(legacy_version))) { 175 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 176 goto err; 177 } 178 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 179 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 180 goto err; 181 } 182 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 183 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 184 goto err; 185 } 186 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 187 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 188 goto err; 189 } 190 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 191 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 192 goto err; 193 } 194 195 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 196 ctx->alert = alert_desc; 197 goto err; 198 } 199 200 /* Finalize first ClientHello hash, or validate against it */ 201 if (!ctx->hs->tls13.hrr) { 202 if (!tls13_clienthello_hash_finalize(ctx)) { 203 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 204 goto err; 205 } 206 } else { 207 if (!tls13_clienthello_hash_validate(ctx)) { 208 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 209 goto err; 210 } 211 tls13_clienthello_hash_clear(&ctx->hs->tls13); 212 } 213 214 if (!tls13_client_hello_required_extensions(ctx)) { 215 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 216 goto err; 217 } 218 219 /* 220 * If we got this far we have a supported versions extension that offers 221 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 222 */ 223 if (legacy_version != TLS1_2_VERSION) { 224 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 225 goto err; 226 } 227 228 /* Store legacy session identifier so we can echo it. */ 229 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { 230 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 231 goto err; 232 } 233 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 234 sizeof(ctx->hs->tls13.legacy_session_id), 235 &ctx->hs->tls13.legacy_session_id_len)) { 236 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 237 goto err; 238 } 239 240 /* Parse cipher suites list and select preferred cipher. */ 241 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 242 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 243 goto err; 244 } 245 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 246 if (cipher == NULL) { 247 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 248 "no shared cipher found", NULL); 249 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 250 goto err; 251 } 252 ctx->hs->cipher = cipher; 253 254 sk_SSL_CIPHER_free(s->session->ciphers); 255 s->session->ciphers = ciphers; 256 ciphers = NULL; 257 258 /* Ensure only the NULL compression method is advertised. */ 259 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 260 sizeof(tls13_compression_null_only))) { 261 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 262 goto err; 263 } 264 265 ret = 1; 266 267 err: 268 sk_SSL_CIPHER_free(ciphers); 269 270 return ret; 271 } 272 273 int 274 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 275 { 276 SSL *s = ctx->ssl; 277 278 if (!tls13_client_hello_process(ctx, cbs)) 279 goto err; 280 281 /* See if we switched back to the legacy client method. */ 282 if (s->method->internal->version < TLS1_3_VERSION) 283 return 1; 284 285 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 286 287 /* 288 * If a matching key share was provided, we do not need to send a 289 * HelloRetryRequest. 290 */ 291 /* 292 * XXX - ideally NEGOTIATED would only be added after record protection 293 * has been enabled. This would probably mean using either an 294 * INITIAL | WITHOUT_HRR state, or another intermediate state. 295 */ 296 if (ctx->hs->tls13.key_share != NULL) 297 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 298 299 /* XXX - check this is the correct point */ 300 tls13_record_layer_allow_ccs(ctx->rl, 1); 301 302 return 1; 303 304 err: 305 return 0; 306 } 307 308 static int 309 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 310 { 311 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 312 const uint8_t *server_random; 313 CBB session_id; 314 SSL *s = ctx->ssl; 315 uint16_t cipher; 316 317 cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 318 server_random = s->s3->server_random; 319 320 if (hrr) { 321 server_random = tls13_hello_retry_request_hash; 322 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 323 } 324 325 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 326 goto err; 327 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 328 goto err; 329 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 330 goto err; 331 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 332 ctx->hs->tls13.legacy_session_id_len)) 333 goto err; 334 if (!CBB_add_u16(cbb, cipher)) 335 goto err; 336 if (!CBB_add_u8(cbb, 0)) 337 goto err; 338 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 339 goto err; 340 341 if (!CBB_flush(cbb)) 342 goto err; 343 344 return 1; 345 err: 346 return 0; 347 } 348 349 static int 350 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 351 { 352 struct tls13_secrets *secrets; 353 struct tls13_secret context; 354 unsigned char buf[EVP_MAX_MD_SIZE]; 355 uint8_t *shared_key = NULL; 356 size_t shared_key_len = 0; 357 size_t hash_len; 358 SSL *s = ctx->ssl; 359 int ret = 0; 360 361 if (!tls13_key_share_derive(ctx->hs->tls13.key_share, 362 &shared_key, &shared_key_len)) 363 goto err; 364 365 s->session->cipher = ctx->hs->cipher; 366 367 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 368 goto err; 369 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 370 goto err; 371 372 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 373 goto err; 374 ctx->hs->tls13.secrets = secrets; 375 376 /* XXX - pass in hash. */ 377 if (!tls1_transcript_hash_init(s)) 378 goto err; 379 tls1_transcript_free(s); 380 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 381 goto err; 382 context.data = buf; 383 context.len = hash_len; 384 385 /* Early secrets. */ 386 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 387 secrets->zeros.len, &context)) 388 goto err; 389 390 /* Handshake secrets. */ 391 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 392 shared_key_len, &context)) 393 goto err; 394 395 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 396 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 397 398 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 399 &secrets->client_handshake_traffic)) 400 goto err; 401 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 402 &secrets->server_handshake_traffic)) 403 goto err; 404 405 ctx->handshake_stage.hs_type |= NEGOTIATED; 406 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 407 ctx->handshake_stage.hs_type |= WITHOUT_CR; 408 409 ret = 1; 410 411 err: 412 freezero(shared_key, shared_key_len); 413 return ret; 414 } 415 416 int 417 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 418 { 419 int nid; 420 421 ctx->hs->tls13.hrr = 1; 422 423 if (!tls13_synthetic_handshake_message(ctx)) 424 return 0; 425 426 if (ctx->hs->tls13.key_share != NULL) 427 return 0; 428 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 429 return 0; 430 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) 431 return 0; 432 433 if (!tls13_server_hello_build(ctx, cbb, 1)) 434 return 0; 435 436 return 1; 437 } 438 439 int 440 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 441 { 442 /* 443 * If the client has requested middlebox compatibility mode, 444 * we MUST send a dummy CCS following our first handshake message. 445 * See RFC 8446 Appendix D.4. 446 */ 447 if (ctx->hs->tls13.legacy_session_id_len > 0) 448 ctx->send_dummy_ccs_after = 1; 449 450 return 1; 451 } 452 453 int 454 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 455 { 456 SSL *s = ctx->ssl; 457 458 if (!tls13_client_hello_process(ctx, cbs)) 459 return 0; 460 461 /* XXX - need further checks. */ 462 if (s->method->internal->version < TLS1_3_VERSION) 463 return 0; 464 465 ctx->hs->tls13.hrr = 0; 466 467 return 1; 468 } 469 470 static int 471 tls13_servername_process(struct tls13_ctx *ctx) 472 { 473 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 474 475 if (!tls13_legacy_servername_process(ctx, &alert)) { 476 ctx->alert = alert; 477 return 0; 478 } 479 480 return 1; 481 } 482 483 int 484 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 485 { 486 if (ctx->hs->tls13.key_share == NULL) 487 return 0; 488 if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) 489 return 0; 490 if (!tls13_servername_process(ctx)) 491 return 0; 492 493 ctx->hs->tls13.server_group = 0; 494 495 if (!tls13_server_hello_build(ctx, cbb, 0)) 496 return 0; 497 498 return 1; 499 } 500 501 int 502 tls13_server_hello_sent(struct tls13_ctx *ctx) 503 { 504 /* 505 * If the client has requested middlebox compatibility mode, 506 * we MUST send a dummy CCS following our first handshake message. 507 * See RFC 8446 Appendix D.4. 508 */ 509 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 510 ctx->hs->tls13.legacy_session_id_len > 0) 511 ctx->send_dummy_ccs_after = 1; 512 513 return tls13_server_engage_record_protection(ctx); 514 } 515 516 int 517 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 518 { 519 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 520 goto err; 521 522 return 1; 523 err: 524 return 0; 525 } 526 527 int 528 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 529 { 530 CBB certificate_request_context; 531 532 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 533 goto err; 534 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 535 goto err; 536 537 if (!CBB_flush(cbb)) 538 goto err; 539 540 return 1; 541 err: 542 return 0; 543 } 544 545 static int 546 tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 547 int *ok, const struct ssl_sigalg **out_sigalg) 548 { 549 const struct ssl_sigalg *sigalg; 550 SSL *s = ctx->ssl; 551 552 *ok = 0; 553 *out_sigalg = NULL; 554 555 if (cpk->x509 == NULL || cpk->privatekey == NULL) 556 goto done; 557 558 if (!X509_check_purpose(cpk->x509, -1, 0)) 559 return 0; 560 561 /* 562 * The digitalSignature bit MUST be set if the Key Usage extension is 563 * present as per RFC 8446 section 4.4.2.2. 564 */ 565 if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && 566 !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) 567 goto done; 568 569 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 570 goto done; 571 572 *ok = 1; 573 *out_sigalg = sigalg; 574 575 done: 576 return 1; 577 } 578 579 static int 580 tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 581 const struct ssl_sigalg **out_sigalg) 582 { 583 SSL *s = ctx->ssl; 584 const struct ssl_sigalg *sigalg; 585 CERT_PKEY *cpk; 586 int cert_ok; 587 588 *out_cpk = NULL; 589 *out_sigalg = NULL; 590 591 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 592 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 593 return 0; 594 if (cert_ok) 595 goto done; 596 597 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 598 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 599 return 0; 600 if (cert_ok) 601 goto done; 602 603 cpk = NULL; 604 sigalg = NULL; 605 606 done: 607 *out_cpk = cpk; 608 *out_sigalg = sigalg; 609 610 return 1; 611 } 612 613 int 614 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 615 { 616 SSL *s = ctx->ssl; 617 CBB cert_request_context, cert_list; 618 const struct ssl_sigalg *sigalg; 619 X509_STORE_CTX *xsc = NULL; 620 STACK_OF(X509) *chain; 621 CERT_PKEY *cpk; 622 X509 *cert; 623 int i, ret = 0; 624 625 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 626 goto err; 627 628 if (cpk == NULL) { 629 /* A server must always provide a certificate. */ 630 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 631 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 632 "no server certificate", NULL); 633 goto err; 634 } 635 636 ctx->hs->tls13.cpk = cpk; 637 ctx->hs->tls13.sigalg = sigalg; 638 639 if ((chain = cpk->chain) == NULL) 640 chain = s->ctx->extra_certs; 641 642 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { 643 if ((xsc = X509_STORE_CTX_new()) == NULL) 644 goto err; 645 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 646 goto err; 647 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 648 X509_V_FLAG_LEGACY_VERIFY); 649 X509_verify_cert(xsc); 650 ERR_clear_error(); 651 chain = xsc->chain; 652 } 653 654 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 655 goto err; 656 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 657 goto err; 658 659 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 660 goto err; 661 662 for (i = 0; i < sk_X509_num(chain); i++) { 663 cert = sk_X509_value(chain, i); 664 665 /* 666 * In the case of auto chain, the leaf certificate will be at 667 * the top of the chain - skip over it as we've already added 668 * it earlier. 669 */ 670 if (i == 0 && cert == cpk->x509) 671 continue; 672 673 /* 674 * XXX we don't send extensions with chain certs to avoid sending 675 * a leaf ocsp staple with the chain certs. This needs to get 676 * fixed. 677 */ 678 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 679 goto err; 680 } 681 682 if (!CBB_flush(cbb)) 683 goto err; 684 685 ret = 1; 686 687 err: 688 X509_STORE_CTX_free(xsc); 689 690 return ret; 691 } 692 693 int 694 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 695 { 696 const struct ssl_sigalg *sigalg; 697 uint8_t *sig = NULL, *sig_content = NULL; 698 size_t sig_len, sig_content_len; 699 EVP_MD_CTX *mdctx = NULL; 700 EVP_PKEY_CTX *pctx; 701 EVP_PKEY *pkey; 702 const CERT_PKEY *cpk; 703 CBB sig_cbb; 704 int ret = 0; 705 706 memset(&sig_cbb, 0, sizeof(sig_cbb)); 707 708 if ((cpk = ctx->hs->tls13.cpk) == NULL) 709 goto err; 710 if ((sigalg = ctx->hs->tls13.sigalg) == NULL) 711 goto err; 712 pkey = cpk->privatekey; 713 714 if (!CBB_init(&sig_cbb, 0)) 715 goto err; 716 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 717 sizeof(tls13_cert_verify_pad))) 718 goto err; 719 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 720 strlen(tls13_cert_server_verify_context))) 721 goto err; 722 if (!CBB_add_u8(&sig_cbb, 0)) 723 goto err; 724 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 725 ctx->hs->tls13.transcript_hash_len)) 726 goto err; 727 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 728 goto err; 729 730 if ((mdctx = EVP_MD_CTX_new()) == NULL) 731 goto err; 732 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 733 goto err; 734 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 735 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 736 goto err; 737 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 738 goto err; 739 } 740 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 741 goto err; 742 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 743 goto err; 744 if ((sig = calloc(1, sig_len)) == NULL) 745 goto err; 746 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 747 goto err; 748 749 if (!CBB_add_u16(cbb, sigalg->value)) 750 goto err; 751 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 752 goto err; 753 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 754 goto err; 755 756 if (!CBB_flush(cbb)) 757 goto err; 758 759 ret = 1; 760 761 err: 762 if (!ret && ctx->alert == 0) 763 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 764 765 CBB_cleanup(&sig_cbb); 766 EVP_MD_CTX_free(mdctx); 767 free(sig_content); 768 free(sig); 769 770 return ret; 771 } 772 773 int 774 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 775 { 776 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 777 struct tls13_secret context = { .data = "", .len = 0 }; 778 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 779 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 780 size_t transcript_hash_len; 781 uint8_t *verify_data; 782 size_t verify_data_len; 783 unsigned int hlen; 784 HMAC_CTX *hmac_ctx = NULL; 785 CBS cbs; 786 int ret = 0; 787 788 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 789 goto err; 790 791 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 792 &secrets->server_handshake_traffic, "finished", 793 &context)) 794 goto err; 795 796 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 797 sizeof(transcript_hash), &transcript_hash_len)) 798 goto err; 799 800 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 801 goto err; 802 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 803 ctx->hash, NULL)) 804 goto err; 805 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 806 goto err; 807 808 verify_data_len = HMAC_size(hmac_ctx); 809 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 810 goto err; 811 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 812 goto err; 813 if (hlen != verify_data_len) 814 goto err; 815 816 CBS_init(&cbs, verify_data, verify_data_len); 817 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 818 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 819 goto err; 820 821 ret = 1; 822 823 err: 824 tls13_secret_cleanup(&finished_key); 825 HMAC_CTX_free(hmac_ctx); 826 827 return ret; 828 } 829 830 int 831 tls13_server_finished_sent(struct tls13_ctx *ctx) 832 { 833 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 834 struct tls13_secret context = { .data = "", .len = 0 }; 835 836 /* 837 * Derive application traffic keys. 838 */ 839 context.data = ctx->hs->tls13.transcript_hash; 840 context.len = ctx->hs->tls13.transcript_hash_len; 841 842 if (!tls13_derive_application_secrets(secrets, &context)) 843 return 0; 844 845 /* 846 * Any records following the server finished message must be encrypted 847 * using the server application traffic keys. 848 */ 849 return tls13_record_layer_set_write_traffic_key(ctx->rl, 850 &secrets->server_application_traffic); 851 } 852 853 int 854 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 855 { 856 CBS cert_request_context, cert_list, cert_data, cert_exts; 857 struct stack_st_X509 *certs = NULL; 858 SSL *s = ctx->ssl; 859 X509 *cert = NULL; 860 EVP_PKEY *pkey; 861 const uint8_t *p; 862 int cert_idx; 863 int ret = 0; 864 865 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 866 goto err; 867 if (CBS_len(&cert_request_context) != 0) 868 goto err; 869 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 870 goto err; 871 if (CBS_len(&cert_list) == 0) { 872 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 873 return 1; 874 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 875 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 876 "peer did not provide a certificate", NULL); 877 goto err; 878 } 879 880 if ((certs = sk_X509_new_null()) == NULL) 881 goto err; 882 while (CBS_len(&cert_list) > 0) { 883 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 884 goto err; 885 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 886 goto err; 887 888 p = CBS_data(&cert_data); 889 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 890 goto err; 891 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 892 goto err; 893 894 if (!sk_X509_push(certs, cert)) 895 goto err; 896 897 cert = NULL; 898 } 899 900 /* 901 * At this stage we still have no proof of possession. As such, it would 902 * be preferable to keep the chain and verify once we have successfully 903 * processed the CertificateVerify message. 904 */ 905 if (ssl_verify_cert_chain(s, certs) <= 0) { 906 ctx->alert = ssl_verify_alarm_type(s->verify_result); 907 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 908 "failed to verify peer certificate", NULL); 909 goto err; 910 } 911 ERR_clear_error(); 912 913 cert = sk_X509_value(certs, 0); 914 X509_up_ref(cert); 915 916 if ((pkey = X509_get0_pubkey(cert)) == NULL) 917 goto err; 918 if (EVP_PKEY_missing_parameters(pkey)) 919 goto err; 920 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 921 goto err; 922 923 ssl_sess_cert_free(SSI(s)->sess_cert); 924 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 925 goto err; 926 927 SSI(s)->sess_cert->cert_chain = certs; 928 certs = NULL; 929 930 X509_up_ref(cert); 931 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 932 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 933 934 X509_free(s->session->peer); 935 936 X509_up_ref(cert); 937 s->session->peer = cert; 938 s->session->verify_result = s->verify_result; 939 940 ctx->handshake_stage.hs_type |= WITH_CCV; 941 ret = 1; 942 943 err: 944 sk_X509_pop_free(certs, X509_free); 945 X509_free(cert); 946 947 return ret; 948 } 949 950 int 951 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 952 { 953 const struct ssl_sigalg *sigalg; 954 uint16_t signature_scheme; 955 uint8_t *sig_content = NULL; 956 size_t sig_content_len; 957 EVP_MD_CTX *mdctx = NULL; 958 EVP_PKEY_CTX *pctx; 959 EVP_PKEY *pkey; 960 X509 *cert; 961 CBS signature; 962 CBB cbb; 963 int ret = 0; 964 965 memset(&cbb, 0, sizeof(cbb)); 966 967 if (!CBS_get_u16(cbs, &signature_scheme)) 968 goto err; 969 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 970 goto err; 971 972 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 973 tls13_sigalgs_len)) == NULL) 974 goto err; 975 976 if (!CBB_init(&cbb, 0)) 977 goto err; 978 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 979 sizeof(tls13_cert_verify_pad))) 980 goto err; 981 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 982 strlen(tls13_cert_client_verify_context))) 983 goto err; 984 if (!CBB_add_u8(&cbb, 0)) 985 goto err; 986 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 987 ctx->hs->tls13.transcript_hash_len)) 988 goto err; 989 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 990 goto err; 991 992 if ((cert = ctx->ssl->session->peer) == NULL) 993 goto err; 994 if ((pkey = X509_get0_pubkey(cert)) == NULL) 995 goto err; 996 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 997 goto err; 998 999 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 1000 goto err; 1001 1002 if ((mdctx = EVP_MD_CTX_new()) == NULL) 1003 goto err; 1004 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 1005 goto err; 1006 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 1007 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 1008 goto err; 1009 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1010 goto err; 1011 } 1012 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 1013 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1014 goto err; 1015 } 1016 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 1017 CBS_len(&signature)) <= 0) { 1018 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1019 goto err; 1020 } 1021 1022 ret = 1; 1023 1024 err: 1025 if (!ret && ctx->alert == 0) 1026 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1027 1028 CBB_cleanup(&cbb); 1029 EVP_MD_CTX_free(mdctx); 1030 free(sig_content); 1031 1032 return ret; 1033 } 1034 1035 int 1036 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1037 { 1038 return 0; 1039 } 1040 1041 int 1042 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1043 { 1044 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1045 struct tls13_secret context = { .data = "", .len = 0 }; 1046 struct tls13_secret finished_key; 1047 uint8_t *verify_data = NULL; 1048 size_t verify_data_len; 1049 uint8_t key[EVP_MAX_MD_SIZE]; 1050 HMAC_CTX *hmac_ctx = NULL; 1051 unsigned int hlen; 1052 int ret = 0; 1053 1054 /* 1055 * Verify client finished. 1056 */ 1057 finished_key.data = key; 1058 finished_key.len = EVP_MD_size(ctx->hash); 1059 1060 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1061 &secrets->client_handshake_traffic, "finished", 1062 &context)) 1063 goto err; 1064 1065 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1066 goto err; 1067 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1068 ctx->hash, NULL)) 1069 goto err; 1070 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1071 ctx->hs->tls13.transcript_hash_len)) 1072 goto err; 1073 verify_data_len = HMAC_size(hmac_ctx); 1074 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1075 goto err; 1076 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1077 goto err; 1078 if (hlen != verify_data_len) 1079 goto err; 1080 1081 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1082 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1083 goto err; 1084 } 1085 1086 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1087 sizeof(ctx->hs->peer_finished), 1088 &ctx->hs->peer_finished_len)) 1089 goto err; 1090 1091 if (!CBS_skip(cbs, verify_data_len)) 1092 goto err; 1093 1094 /* 1095 * Any records following the client finished message must be encrypted 1096 * using the client application traffic keys. 1097 */ 1098 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1099 &secrets->client_application_traffic)) 1100 goto err; 1101 1102 tls13_record_layer_allow_ccs(ctx->rl, 0); 1103 1104 ret = 1; 1105 1106 err: 1107 HMAC_CTX_free(hmac_ctx); 1108 free(verify_data); 1109 1110 return ret; 1111 } 1112